United States Patent and Trademark Office 



UNITED STATES DEl'AKTMEN 1 OF COMMERCE 
1'nikil States l'atint and Trademark Office 

Address: COMMISSIONER FOR PATENTS 



NOTICE OF ALLOWANCE AND FEE(S) DUE 



41505 7590 02/06/2009 | 

WOODCOCK WASHBURN LLP (MICROSOFT CORPORATION) chen qing 

CIR A CENTRE, 12TH FLOOR j art unit ] paper number 

2929 ARCH STREET 1 — 1 

PHILADELPHIA, PA 19104-2891 datemailed: 02/06/2009 



I APPLICATION NO. | FILING DATE j FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO. 

10/790,302 03/01/2004 Michael David Marr MSFT-303 1/306162.01 9280 

TITLE OF INVENTION: RUN-TIME CALL STACK VERIFICATION 



APPLN. TYPE SMALL ENTITY ISSUE FEE DUE PUBLICATION FEE DUE PREV. PAID ISSUE FEE TOTAL FEE(S) DUE DATE DUE 



nonprovisional NO $1510 $300 $0 $1810 05/06/2009 

THE APPLICATION IDENTIFIED ABOVE HAS BEEN EXAMINED AND IS ALLOWED FOR ISSUANCE AS A PATENT. 
PROSECUTION ON THE MERITS JS CLOSED . THIS NOTICE OF ALLOWANCE IS NOT A GRANT OF PATENT RIGHTS. 
THIS APPLICATION IS SUBJECT TO WITHDRAWAL FROM ISSUE AT THE INITIATIVE OF THE OFFICE OR UPON 
PETITION BY THE APPLICANT. SEE 37 CFR 1.313 AND MPEP 1308. 

THE ISSUE FEE AND PUBLICATION FEE (IF REQUIRED) MUST BE PAID WITHIN THREE MONTHS FROM THE 
MAILING DATE OF THIS NOTICE OR THIS APPLICATION SHALL BE REGARDED AS ABANDONED. THIS 
STATUTORY PERIOD CANNOT BE EXTENDED . SEE 35 U.S.C. 151. THE ISSUE FEE DUE INDICATED ABOVE DOES 
NOT REFLECT A CREDIT FOR ANY PREVIOUSLY PAID ISSUE FEE IN THIS APPLICATION. IF AN ISSUE FEE HAS 
PREVIOUSLY BEEN PAID IN THIS APPLICATION (AS SHOWN ABOVE), THE RETURN OF PART B OF THIS FORM 
WILL BE CONSIDERED A REQUEST TO REAPPLY THE PREVIOUSLY PAID ISSUE FEE TOWARD THE ISSUE FEE NOW 
DUE. 



HOW TO REPLY TO THIS NOTICE: 



I. Review the SMALL ENTITY status shown above. 

If the SMALL ENTITY is shown as YES, verify your current 
SMALL ENTITY status: 

A. If the status is the same, pay the TOTAL FEE(S) DUE shown 
above. 

B. If the status above is to be removed, check box 5b on Part B - 
Fee(s) Transmittal and pay the PUBLICATION FEE (if required) 
and twice the amount of the ISSUE FEE shown above, or 



If the SMALL ENTITY is shown as NO: 



A. Pay TOTAL FEE(S) DUE shown above, or 



B. If applicant claimed SMALL ENTITY status before, or is now 
claiming SMALL ENTITY status, check box 5a on Part B - Fee(s) 
Transmittal and pay the PUBLICATION FEE (if required) and 1/2 
the ISSUE FEE shown above. 



II. PART B - FEE(S) TRANSMITTAL, or its equivalent, must be completed and returned to the United States Patent and Trademark Office 
(USPTO) with your ISSUE FEE and PUBLICATION FEE (if required). If you are charging the fee(s) to your deposit account, section "4b" 
of Part B - Fee(s) Transmittal should be completed and an extra copy of the form should be submitted. If an equivalent of Part B is filed, a 
request to reapply a previously paid issue fee must be clearly made, and delays in processing may occur due to the difficulty in recognizing 
the paper as an equivalent of Part B. 

III. All communications regarding this application must give the application number. Please direct all communications prior to issuance to 
Mail Stop ISSUE FEE unless advised to the contrary. 

IMPORTANT REMINDER: Utility patents issuing on applications filed on or after Dec. 12, 1980 may require payment of 
maintenance fees. It is patentee's responsibility to ensure timely payment of maintenance fees when due. 



PTOL-85 (Rev. 08/07) Approved for use through 08/3 1/2010. 



Page 1 of 3 



PART B - FEE(S) TRANSMITTAL 

Complete and send this form, together with applicable fee(s), to: Mail Mail Stop ISSUE FEE 

Commissioner for Patents 
P.O. Box 1450 

Alexandria, Virginia 22313-1450 
or Fax (571)-273-2885 



INSTRUCTIONS: This form should be used lor transmitting Ihe ISSUE FEE 
appropriate-. All further correspondence including die Patent. ad\ ancc -Tders anu noirrrcauo 
indicated unless corrected below or directed otherwise in Block I. b\ la) -.peci l\ i ng a new 
~.e fee notifications. 



I I 1,1 I' UION 1 1.1 



required). Blocks 1 through 5 should he completed whf 
nee rees will be mailed to the current correspondence address 
e address: and/or Cb) indicating a separate "FEE ADDRESS" 1 



be used for domestic mailings of the 
>i be used for an\ other accompanying 
ir assignment or formal drawing, must 



kee(s) Transmittal. This certificate c 
papers. Each additional paper, such 
ha\e its own certificate of mailing or 



WOODCOCK WASHBURN LLP (MICROSOFT CORPORATION^reby « 

CIRA CENTRE, 12TH FLOOR St i^l p ?ff l s i. n s . ul !I C c ie T n ^ p ^ g ! J f SL a 

2929 ARCH STREET 



PHILADELPHIA, PA 19104-2891 








| APPLICATION NO. | FILING DATE j FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO. 



10/790,302 03/01/2004 
TITLE OF INVENTION: RUN-TIME CALL STACK VERIFICATION 



Michael David Marr 



MSFT-303 1/306162.01 



APPLN. TYPE 



SMALL ENTITY 



ISSUE FEE DUE 



HUE I PREV. PAID ISSUE FEE TOTAL Mil its ) Dt H ■ 



CLASS-SUBCLASS 



CER 1.363). 

□ c 



ir indication of "bee Address" (37 



>B/47: 1 



2. For printing on the patent front page, list 



(2) the name of a single firm (h 
registered attorney or agent) an< 
2 registered patent attorneys or 
listed, no name will be printed. 



s. If n. 



3. ASSIGNEE NAME AND RESIDENCE DATA TO BE l'RIN I ED ON THE PATENT (print or type) 
PLEASE NO 
recordation as 

(A) NAME OF ASSIGNEE (B) RESIDENCE: (CITY and STATE OR COUNTRY) 



Please check the appropriate assignee category or categories (will not be printed on the patent) : Q Individual Q Corporation or other private group entity Q Government 

4a. The following fee(s) are submitted: 4b. Payment of Fee(s ): (Please first reapply any previously paid issue fee shown above) 

Q Issue Fee J A check is enclosed. 

□ Publication Fee (No small entity discount permitted) □ Payment by credit card. Form PTO-2038 is attached. 

Q Advance Order - # of Copies 



overpayment, to Deposit Account Number _ 



5. Change in Entity Status (from statu-, indicated abo\el 

□ a. Applicant claims SMALL ENTITY status. See 37 CFR 1.27. □ b. Applicant is no longer claiming SMALL ENTITY status. See 37 CFR 1.27(g)(2). 



ir the assignee or other parly in 



Authorized Signature 
Typed or printed name _ 



This collection of infoi mat ion i ; required h\ 37 OIR 1.3 1 1. Ihe information is required to obtain or retain a benefit h\ the public which is to file (and h\ the I 'SPTO to process) 
an application. ( 'onfidcnlialilx is go\ emeu h\ 3.s E.S.C. I 33 and 37 CI R 1 . 14. This collection is estimated to take 12 minutes to complete, inc hiding gathering, preparing, and 

submitting the compl i d pplicab n I mi th I'SPTO kirn ill i I | ndin n nil n li i ! i il n mm nl nth n I m 1 quire to complete 

this form and/or susseslions for reducing this burden, should be senl to Ihe ( liiel Information Officer. I .S. l'alenl and Trademark Office. I \S. Department of Commerce. P.O. 
B< 1430. Alexandra. Vircini 231 14 1 DO NOT SEND FEES OR COMPLETED FORMS TO kill vDDRES ,1 I) TO: . mmi ner for Paten P.O. B 1430 
Alexandria. Virginia 22313-1450. 

Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. 



PTOL-85 (Rev. 08/07) Approved for use through 08/3 1/2010. 



OMB 0651-0033 U.S. Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE 



APPLICATION NO. | FILING DATE j FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO. 

10/790,302 03/01/2004 Michael David Marr MSFT-303 1/306162.01 9280 

41505 7590 02/06/2009 I EXAMINER 

WOODCOCK WASHBURN LLP (MICROSOFT CORPORATION) chen qing 

CIR A CENTRE, 12TH FLOOR j art unit ] paper number 

2929 ARCH STREET 1 — 1 

PHILADELPHIA, PA 19104-2891 datemailed: 02/06/2009 



Determination of Patent Term Adjustment under 35 U.S.C. 154 (b) 

(application filed on or after May 29, 2000) 

The Patent Term Adjustment to date is 842 day(s). If the issue fee is paid on the date that is three months after the 
mailing date of this notice and the patent issues on the Tuesday before the date that is 28 weeks (six and a half 
months) after the mailing date of this notice, the Patent Term Adjustment will be 842 day(s). 

If a Continued Prosecution Application (CPA) was filed in the above-identified application, the filing date that 
determines Patent Term Adjustment is the filing date of the most recent CPA. 

Applicant will be able to obtain more detailed information by accessing the Patent Application Information Retrieval 
(PAIR) WEB site (http://pair.uspto.gov). 

Any questions regarding the Patent Term Extension or Adjustment determination should be directed to the Office of 
Patent Legal Administration at (571)-272-7702. Questions relating to issue and publication fee payments should be 
directed to the Customer Service Center of the Office of Patent Publication at l-(888)-786-0101 or 
(571)-272-4200. 



PTOL-85 (Rev. 08/07) Approved for use through 08/3 1/2010. 



Page 3 of 3 





Application No. 


Applicant(s) 


Notice of Allowability 


10/790,302 


MARR ET AL. 


Examiner 


Art Unit 






Qing Chen 


2191 





~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address- 

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1 . |EI This communication is responsive to the amendment filed on November 13, 2008. 

2. The allowed claim(s) is/are 1,2,5-14,16-18,21-23,26 and 27, renumbered as 1-20 . 
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3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
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Paper No./Mail Date . 
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each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 
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DETAILED ACTION 

1 . This Office action is in response to the amendment filed on November 13, 2008. 

2. Claims 1, 2, 5-14, 16-18, 21-23, 26, and 27 are pending. 

3. Claims 1, 2, 5-12, 18, and 26 have been amended. 

4. Claims 3, 4, 15, 19, 20, 24, and 25 have been canceled. 

5. Claim 27 has been added. 

6. Claims 1, 2, 5-14, 16-18, 21-23, 26, and 27 are allowed, renumbered as 1-20. 

7. The objections to Claims 12-14, 16, and 17 are withdrawn in view of Examiner's 
amendments to the claims. 

Examiner's Amendment 

8. An Examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this Examiner's amendment was given in a telephone interview with 
Kenneth R. Eiferman (Reg. No. 5 1,647) on January 28, 2009. 

The application has been amended as follows: 



AMENDMENTS TO THE CLAIMS 
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The amendment document filed on November 13, 2008 is considered non-compliant 
because it has failed to meet the requirements of 37 CFR 1.121 — namely, the status identifier for 
Claim 23 is incorrect. In order for the amendment document to be compliant, please amend the 
status identifier as follows: 

On page 8 of the amendment document entitled "Amendments to the Claims," please 
replace the status identifier for Claim 23, "Currently Amended," with the status identifier 
"Previously Presented." 

Please cancel Claim 24, add Claim 27, and amend Claims 1, 2, 7, 1 1, 12, 18, and 26 as 
follows: 

1 . (Currently Amended) In a runtime environment comprising a first program module, at 
least one second program module and a call stack, a method of invoking a desired method 
associated with a desired second program module, comprising: 

in a third program module associating each of a plurality of stubs respectively with each 
of a plurality of methods associated with the at least one second program module, wherein each 
stub comprises a code segment performing a unique non-standard calling convention into the at 
least one second program module, wherein each stub includes at least a first instruction to push 
function parameters onto the call stack, a second instruction to call an authenticator module for 
authenticating that a stub has not been modified and a third instruction comprising embedded 
unique data for the stub, wherein the embedded unique data comprises a vtable entry descriptor 
for the desired method, corresponding to a vtable for the third program module, wherein the 
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vtable is covered and comprises a list of function pointers to functions associated with the at least 
one second program module arranged in a random order, the random order unique for each the at 
least one second program module; and 

from the first program module, issuing a first call to a stub in the third program module 
associated with the desired method, whereupon after the first call, the call stack comprises at 
least a first parameter corresponding to a return address associated with the stub, a second 
parameter corresponding to a parameter depth (cArgs) and a third parameter corresponding to a 
return address of the first program module, the first, second and third parameters arranged in a 
top-down order; 

wherein the third program module calls the at least one second program module using a 
non-standard calling convention. 

2. (Currently Amended) The method of claim 1, wherein upon returning to the 
authenticator module from the a jump to the vtable uncovering code, the an address associated 
with the desired method on the program call stack automatically causes calling of the desired 
method associated with the third program module and whereupon completion of the desired 
method, the second return address of the first program module on the program call stack 
automatically causes return to the a cleanup function, whereupon completion of the portion of 
the authenticator module corresponding to the cleanup function, the first return address 
associated with the first program module stub on the program call stack causes return to the first 
program module. 
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7. (Currently Amended) The method of claim [[7]]I, wherein said authentication 
comprises: 

examining the call stack to identify a return address, and determining that the return 
address is part of a program module that is permitted, according to a standard or rule, to invoke 
functionality associated with the at least one second program module. 

1 1 . (Currently Amended) The method of claim 1 , wherein said at least one second 
program module comprises a dynamic-link library. 

12. (Currently Amended) A method of verifying a context in which a first program 
module has been called, the method comprising: 

examining a call stack of a process in which said first program module executes to 
identify a return address in which control of the process will return upon completion of a call to 
said first program module; 

determining that said return address is located within a second program module that is 
permitted to call said first program module, said determining comprising checking a datum that 
represents a calling code used by the second program module, the datum being derived from a 
portion or the entirety of the second program module, the first program module being called by 
the second program module via a third program module having one or more stubs with code 
segments that are callable by the second program module as an intermediary, the one or more 
stubs comprising data required during a verification by the first software program module, said 
data required during said verification being mixed into instruction streams provided by the one or 
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more stubs, the data also comprising information that is used to identify a function that will be 
invoked after the verification^ wherein each stub comprises a code segment performing a unique 
non-standard calling convention into the second program module, wherein each stub includes at 
least a first instruction to push function parameters onto the call stack, a second instruction to 
call an authenticator module for authenticating that a stub has not been modified and a third 
instruction comprising embedded unique data for the stub, wherein the embedded unique data 
comprises a vtable entry descriptor for the a desired method, corresponding to a vtable for the 
third program module, wherein the vtable is covered and comprises a list of function pointers to 
functions associated with the second program module arranged in a random order, the random 
order unique for eaeh the second program module; 

from the first program module, issuing a first call to a stub in the third program module 
associated with the desired method, whereupon after the first call, the call stack comprises at 
least a first parameter corresponding to a return address associated with the stub, a second 
parameter corresponding to a parameter depth (cArgs) and a third parameter corresponding to a 
return address of the first program module, the first, second and third parameters arranged in a 
top-down order; and 



based on the result of said determining act, permitting execution of said first program 
module to proceed and returning to said second software program module which issued the call 
and bypassing said third software program module and the one or more stubs, 

wherein said first program module comprises cryptographic functionality that stores and 
obscures a decryption key and that uses said decryption key to decrypt content. 
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18. (Currently Amended) A program module stored in a computer-readable storage 
medium comprising: 

a function that is performable on behalf of a calling entity; and 

logic that verifies an identity of the calling entity as a condition for performing said 
function, said logic consulting a call stack in order to identify said calling entity and determining 
said identity based on a return address on said call stack, said return address representing a 
location of an instruction to be executed when the program module completes execution, said 
logic checking a datum that represents a calling code used by the calling entity, the datum being 
derived from a portion or the entirety of the calling entity; 

wherein said function is not exposed to said calling entity, and wherein said function is 
exposed to an intermediate entity that is callable by said calling entity, said intermediate entity 
calling upon the program module to perform said function on behalf of said calling entity, said 
intermediate entity comprising one or more stubs that comprise data required by the logic to 
verify the identity of the calling entity, the data being mixed into instruction streams provided by 
the one or more stubs, the data also comprising information that is used to identify the function, 
wherein each stub comprises a code segment performing a unique non-standard calling 
convention into the second program module, wherein each stub includes at least a first 
instruction to push function parameters onto the call stack, a second instruction to call an 
authenticator module for authenticating that a stub has not been modified and a third instruction 
comprising embedded unique data for the stub, wherein the embedded unique data comprises a 
vtable entry descriptor for the a desired method, corresponding to a vtable for the third module 
intermediate entity , wherein the vtable is covered and comprises a list of function pointers to 
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functions associated with the second program module arranged in a random order, the random 
order unique for each second the program module; 

from the calling entity, issuing a first call to a stub in the program module associated with 
the desired method, whereupon after the first call, the call stack comprises at least a first 
parameter corresponding to a return address associated with the stub, a second parameter 
corresponding to a parameter depth (cArgs) and a third parameter corresponding to a return 
address of the calling entity, the first, second and third parameters arranged in a top-down order; 
and 

wherein the program module upon completing said function bypasses the intermediate 
entity and returns to the calling entity's return address. 

24. (Canceled) 

26. (Currently Amended) The method of claim 1, [[,]]whereupon executing the second 
instruction in the stub, an authenticator module is called, the authenticator module : 

verifying that the associated stub has not been modified utilizing the return address of the 
associated stub; 

if verification is not successful, not calling the second program module and terminating 
execution; and 

if verification is successful: 

inserting a first return address of the first program module on the call stock stack ; 
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replacing the stub return address associated with the stub on the call stack with an 
address associated with the desired method; 

replacing the second parameter (cArgs) on the call stack with a second return 
address associated with the authenticator module , the second return address corresponding to a 
portion of the authenticator module for performing a cleanup function; and 

causing a jump into vtable uncovering code associated with the vtable entry 
descriptor , causing execution of the desired method, automatically bypassing the authenticator 
module upon return and automatically calling the cleanup function, wherein the desired method 
authenticates the first program module using the return address of the first program module 
having been preserved on the call stack. 

27. (New) A computer-readable storage medium having stored thereon computer- 
executable instructions for performing the steps of: 

examining a call stack of a process in which said first program module executes to 
identify a return address in which control of the process will return upon completion of a call to 
said first program module; 

determining that said return address is located within a second program module that is 
permitted to call said first program module, said determining comprising checking a datum that 
represents a calling code used by the second program module, the datum being derived from a 
portion or the entirety of the second program module, the first program module being called by 
the second program module via a third program module having one or more stubs with code 
segments that are callable by the second program module as an intermediary, the one or more 
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stubs comprising data required during a verification by the first program module, said data 
required during said verification being mixed into instruction streams provided by the one or 
more stubs, the data also comprising information that is used to identify a function that will be 
invoked after the verification, wherein each stub comprises a code segment performing a unique 
non-standard calling convention into the second program module, wherein each stub includes at 
least a first instruction to push function parameters onto the call stack, a second instruction to 
call an authenticator module for authenticating that a stub has not been modified and a third 
instruction comprising embedded unique data for the stub, wherein the embedded unique data 
comprises a vtable entry descriptor for a desired method, corresponding to a vtable for the third 
program module, wherein the vtable is covered and comprises a list of function pointers to 
functions associated with the second program module arranged in a random order, the random 
order unique for the second program module; 

from the first program module, issuing a first call to a stub in the third program module 
associated with the desired method, whereupon after the first call, the call stack comprises at 
least a first parameter corresponding to a return address associated with the stub, a second 
parameter corresponding to a parameter depth (cArgs) and a third parameter corresponding to a 
return address of the first program module, the first, second and third parameters arranged in a 
top-down order; and 

based on the result of said determining act, permitting execution of said first program 
module to proceed and returning to said second program module which issued the call and 
bypassing said third program module and the one or more stubs, 
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wherein said first program module comprises cryptographic functionality that stores and 
obscures a decryption key and that uses said decryption key to decrypt content. 

- END OF AMENDMENT - 

Reasons for Allowance 

9. The following is an Examiner's statement of reasons for allowance: 

The cited prior art taken alone or in combination fail to teach, in combination with the 
other claimed limitations, "wherein each stub includes at least a first instruction to push function 
parameters onto the call stack, a second instruction to call an authenticator module for 
authenticating that a stub has not been modified and a third instruction comprising embedded 
unique data for the stub, wherein the embedded unique data comprises a vtable entry descriptor 
for the desired method, corresponding to a vtable for the third program module, wherein the 
vtable is covered and comprises a list of function pointers to functions associated with the at least 
one second program module arranged in a random order, the random order unique for the at least 
one second program module" and "from the first program module, issuing a first call to a stub in 
the third program module associated with the desired method, whereupon after the first call, the 
call stack comprises at least a first parameter corresponding to a return address associated with 
the stub, a second parameter corresponding to a parameter depth (cArgs) and a third parameter 
corresponding to a return address of the first program module, the first, second and third 
parameters arranged in a top-down order" as recited in independent Claim 1; and further fail to 
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teach, in combination with the other claimed limitations, similarly-worded limitations recited in 
independent Claims 12, 18, and 27. 

The closest cited prior art, the combination of US 6,003,095 (hereinafter "Pekowski02"), 
US 5,946,486 (hereinafter "PekowskiOl"), and US 6,226,618 (hereinafter "Downs"), teaches an 
apparatus and method for demand loading dynamic link libraries (DLLs) utilized in computer 
programs. However, the combination of Pekowski02, PekowskiOl, and Downs fails to teach 
"wherein each stub includes at least a first instruction to push function parameters onto the call 
stack, a second instruction to call an authcnticator module for authenticating that a stub has not 
been modified and a third instruction comprising embedded unique data for the stub, wherein the 
embedded unique data comprises a vtable entry descriptor for the desired method, corresponding 
to a vtable for the third program module, wherein the vtable is covered and comprises a list of 
function pointers to functions associated with the at least one second program module arranged 
in a random order, the random order unique for the at least one second program module" and 
"from the first program module, issuing a first call to a stub in the third program module 
associated with the desired method, whereupon after the first call, the call stack comprises at 
least a first parameter corresponding to a return address associated with the stub, a second 
parameter corresponding to a parameter depth (cArgs) and a third parameter corresponding to a 
return address of the first program module, the first, second and third parameters arranged in a 
top-down order" as recited in independent Claim 1 ; and further fails to teach similarly- worded 
limitations recited in independent Claims 12, 18, and 27. 

Any comments considered necessary by Applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
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fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 



Conclusion 

10. Any inquiry concerning this communication or earlier communications from the 
Examiner should be directed to Qing Chen whose telephone number is 571-270-1071. The 
Examiner can normally be reached on Monday through Thursday from 7:30 AM to 4:00 PM. 
The Examiner can also be reached on alternate Fridays. 

If attempts to reach the Examiner by telephone arc unsuccessful, the Examiner's 
supervisor, Wei Zhen, can be reached on 571-272-3708. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the TC 2100 Group receptionist whose telephone number is 571-272-2100. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



/Q. C.I 

Examiner, Art Unit 2191 
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/Wei Y Zhen/ 

Supervisory Patent Examiner, Art Unit 2191 



